Attack and Defense World welpwn: generic gadget exploitation

welpwn: the challenge comes from Attack and Defense World. First check the protections on the program. It looks like a stack overflow, but there is no overflow. Then look at the echo function. A little reversing shows that there is an array inside eval, which copies the first 16 of the previously read 0x400 bytes into s2. But it was triggered when ...

Posted by ljschrenk on Mon, 07 Mar 2022 22:19:25 +0100

Make a desktop binary conversion (CONS) gadget: Python learning diary 2.28~3.6

2022.3.6, 0 Preface (rambling). Finally, this rookie's diary has been updated. This time it is a bit long; readers who want to see something useful can skip straight to the table of contents. I haven't written a diary for a long time. Did the rookie give up? Not really. It's just that the rookie has gained a new understanding of how weak he is. jpg, d ...

Posted by bapi on Sun, 06 Mar 2022 18:51:17 +0100

2021 National College Student Information Security Competition WP (CISCN)

Summary: As a trainee who has studied for less than a year, I took part in the national competition for the first time this year. I thought the challenges would be gentle, but in the end I only solved one pwn challenge. Originally there were two pwn challenges, but I still lacked some knowledge or skills. I didn't do it, and then it was over ...

Posted by rupam_jaiswal on Wed, 09 Feb 2022 21:10:27 +0100

pwn stack overflow principles and my first exploit

Stack position in memory. Operating system kernel. Stack area: the place where local variables are stored while the program runs; it grows downward (high → low). Shared library mapping area: when a program is dynamically linked, the libraries it depends on are mapped into this area. Heap area: malloc or new requests new space here, whic ...

Posted by auro on Wed, 19 Jan 2022 23:11:25 +0100

[ctf wiki pwn] stack overflow: ret2dlresolve series 1 (_dl_runtime_resolve glibc source code analysis and practice)

1 _dl_runtime_resolve entry. _dl_runtime_resolve is implemented in assembly in glibc; the 32-bit entry point is in sysdeps/i386/dl-trampoline.S and the 64-bit entry point is in sysdeps/x86_64/dl-trampoline.S. This article mainly analyzes the 32-bit source code, version 2.23, from the glibc online source website https://elixir.bootlin.com/glibc/ ...

Posted by tnkannan on Sun, 16 Jan 2022 00:33:45 +0100

[pwn learning] Various Canary bypass techniques

Method 1: leak Canary by overwriting the terminating byte. Principle: the low byte of Canary is designed to be \x00, which is intended to prevent Canary from being read out directly by read, write and similar functions. The value of Canary can be read out by overwriting the low \x00 through a stack overflow. From the above analysis, we can sort out th ...

Posted by jimmyp3016 on Fri, 24 Dec 2021 19:27:31 +0100

TryHackMe learning notes - The Cod Caper

Summary: Continuing the TryHackMe learning record. This time the target is The Cod Caper, and the content runs from web vulnerability exploitation to buffer overflow. After starting the target, its IP address is 10.10.162.177. Port scan: an nmap port scan found 2 ports open: nmap -Pn --o ...

Posted by Daisy Cutter on Sat, 18 Dec 2021 20:12:04 +0100

Introduction to kernel pwn: ciscn2017_babydrive UAF

My first attempt at a kernel challenge relies on reproducing fmyy's blog. After the reproduction, I have a general understanding of exploiting a UAF in the kernel. Problem-solving steps: 1. Brief description. The challenge gives us a compressed package; after decompressing it, we find there is no vmlinux. Therefo ...

Posted by vimukthi on Sat, 18 Dec 2021 17:00:39 +0100

WMCTF 2021 pwn dy_maze writeup

After three days of hard work (slacking off √), WMCTF 2021 is finally over, and our Mengxin experience team has also achieved a top-30 result with everyone's joint efforts, which is really beyond my expectation. However, for our first competition, the results are the most important aspect. The seriousness and concentration ...

Posted by timtom3 on Sat, 18 Dec 2021 13:03:19 +0100